Re: How to edit inputs.conf to exclude a field bef...

vikas_gopal · ‎12-12-2016

I am using Windows Host Monitoring stanza in inputs.conf like

([WinHostMon://Service]
interval = 10
disabled = 0
type = Service)
to collect service information on the windows machine . I got following in splunk .

Type=Service
Name="AeLookupSvc"
DisplayName="Application Experience"
Description="Processes application compatibility cache requests for applications as they are launched"
Path="C:\Windows\system32\svchost.exe -k netsvcs"
ServiceType="Share Process"
StartMode="Manual"
Started=false
State="Stopped"
Status="OK"
ProcessId=0

I do not want to index Description and Path Field. Please suggest how I can achieve this.

Thanks
VG

Yorokobi · ‎04-30-2019

In your indexing tier's props.conf

[WinHostMon]
### This affects ALL WinHostMon source types for the v6+ add-on
SEDCMD-nodesc = s/([\r\n]+)Description=".+"//g
SEDCMD-nopath = s/([\r\n]+)Path=".+"//g

Or to apply to only WinHostMon's Service source

[source::service]
SEDCMD-nodesc = s/([\r\n]+)Description=".+"//g
SEDCMD-nopath = s/([\r\n]+)Path=".+"//g

dkeck · ‎02-28-2017

Please accept answer, if it was helpfull.

Thank you

dkeck · ‎12-12-2016

Hi,

there are historic questions regarding this topic , for example

https://answers.splunk.com/answers/109253/how-to-filter-or-extract-fields-before-indexing-time.html

Kind regards

How to edit inputs.conf to exclude a field before indexing?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann